Privacy Policy

Phoenix Horizon, Inc. ("Phoenix," "we," "us," or "our") operates Rush, an AI agent operating system. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Rush and related services.

By using Rush, you consent to the data practices described in this policy. If you do not agree, please do not use our services.

This policy supplements the Phoenix Horizon Privacy Policy, which covers all Phoenix products and services.

Account Information

• Email address
• Name (if provided)
• Profile photo (via OAuth providers)
• Payment information (processed by Stripe)

Google API Data

When you connect your Google account, Rush requests access to the following scopes:

• Gmail (read, send, modify) — To enable the Inbox Ninja agent to triage, summarize, and draft email responses on your behalf
• Google Calendar (read, write) — To enable calendar-aware agents that schedule events and check availability
• Google Spreadsheets — To enable data analysis agents that read and write spreadsheet data
• User info (email) — To identify your account

Rush's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Other Connected Services

When you connect additional third-party services, we access data based on the permissions you grant:

• Twitter/X: Profile information, ability to post tweets and read your timeline
• Slack: Workspace information, channel messages, and ability to post messages

Token Storage

OAuth tokens are stored locally on your device at ~/.rush/user.yaml with restricted file permissions (mode 0600, readable only by your user account). Tokens are also transmitted to our servers for session management and token refresh.

Usage Data

• Session identifiers and execution logs
• Agent usage metrics (tokens consumed, cost, duration)
• Tool calls and error information (metadata only, not content)
• Device information (OS, app version)
• IP address

Local Data

Rush stores the following data locally on your device in the ~/.rush/ directory:

• Session histories (conversation logs with agents)
• OAuth tokens for connected services
• Installed agent packages
• User preferences and settings

We use collected information to:

• Provide, maintain, and improve Rush
• Process transactions and send billing notifications
• Execute agent actions on your behalf via connected services
• Monitor usage for security, abuse prevention, and debugging
• Generate aggregated analytics to improve our products
• Communicate with you about updates and support
• Comply with legal obligations

Data obtained through Google APIs is used exclusively to provide the agent features you explicitly invoke:

• Gmail data is used by the Inbox Ninja agent to read your inbox, summarize messages, and draft responses. Email content is processed in real-time and is not stored on our servers.
• Calendar data is used by calendar-aware agents to check your availability and create events. Calendar data is not stored on our servers.
• Spreadsheet data is used by data analysis agents to read and write to your spreadsheets as instructed.

We do not:

• Use Google user data for advertising
• Sell, rent, or share Google user data with third parties except as necessary to provide the service (e.g., sending prompts to LLM providers to execute your requested agent task)
• Use Google user data to train AI models
• Store Google user data on our servers beyond what is necessary for session management and token refresh

• Email body content on our servers — Email content is processed in-memory for agent tasks and is not persisted server-side
• Raw prompts and responses — We log metadata (token counts, costs) but not the actual content of your conversations
• File contents — Files are processed locally; contents are not uploaded unless explicitly shared
• Passwords — We use OAuth; we never see or store your passwords

LLM Providers

Agent prompts (which may include data from your connected services) are sent to LLM providers to execute tasks:

• Anthropic — Privacy Policy
• OpenAI — Privacy Policy

Infrastructure

• Supabase — Authentication and database
• Cloudflare — CDN and security
• Hetzner — Server infrastructure (EU)
• PostHog — Product analytics

Local Storage: Sensitive data (OAuth tokens, session histories) is stored locally on your device with restrictive file permissions.

Server Storage: Usage analytics, billing data, and session metadata are stored on our servers. We use industry-standard encryption in transit (TLS) and at rest.

Retention: We retain usage data for as long as necessary to provide our services, typically up to 24 months for analytics data. You may request deletion at any time.

We do not sell your personal data. We may share data:

• With your consent — When you explicitly authorize sharing
• With service providers — Third parties that help us operate our services (under strict confidentiality agreements)
• For legal compliance — When required by law, subpoena, or legal process
• For safety — To protect the rights, property, or safety of Phoenix, our users, or others
• In business transfers — In connection with a merger, acquisition, or sale of assets

You have the right to:

• Disconnect services — Revoke OAuth connections at any time through Rush settings
• Delete your data — Request deletion of your account and associated data
• Data portability — Export your session histories and artifacts
• Opt out of analytics — Contact us to opt out of non-essential analytics

To exercise these rights, contact us at privacy@getrush.ai.

GDPR (European Users): You have rights under GDPR including access, rectification, erasure, restriction of processing, data portability, and the right to object. Our legal basis for processing is contractual necessity and legitimate interests.

CCPA (California Users): California residents have the right to know what personal information is collected, to delete personal information, and to opt out of the sale of personal information. We do not sell personal information.

Rush is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children.

Your data is not used to train AI models. We send prompts to third-party LLM providers to execute agent tasks. These providers have their own policies regarding API input usage. We may use aggregated, anonymized usage patterns (not content) to improve our orchestration and infrastructure.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of Rush after changes become effective constitutes acceptance of the updated policy.

For privacy-related questions or requests:

• Email: privacy@getrush.ai
• General: support@getrush.ai

Phoenix Horizon, Inc.
Mountain View, CA
United States